Access Keys Are Hardcoded on the EC2 Box. Just Rotate Them?

Beginner ~10 min read
AWSSecurity

Scenario

An application on EC2 talks to AWS services using long-lived access keys sitting in a config file on the instance. The keys belong to an old IAM user with broad permissions, they have never been rotated, and the instance still allows IMDSv1. Now one of those key pairs has been compromised, and the team needs to respond.

The Quick Fix on the Table

A teammate proposes the minimal loop: deactivate the leaked pair, mint a new access key for the same IAM user, paste it into the same config file, and call the incident closed. Ten minutes, no architecture changes, everything keeps working exactly as before.

Interview · Round 1

The quick fix is on the table and the room is waiting for your call. Would you sign off on it? Take a position and justify it — out loud or on paper — before revealing the analysis.